The Florida Digital Bill of Rights (FDBR): Navigating the New Frontier of Data Privacy

Sameer Ahirrao -

The Florida Digital Bill of Rights (FDBR), enacted in July 2024, has transformed data privacy in Florida. This law grants residents more control over their personal data, providing clear guidelines for accessing, correcting, and deleting information. Let's examine the main elements of the FDBR and its effects on consumers and businesses.

What is the Florida Digital Bill of Rights?

The Florida Digital Bill of Rights (FDBR) is the state's data privacy law, though it's not as extensive as some other state consumer privacy laws. It mainly targets large businesses due to its high applicability thresholds.

In simple terms, if your business doesn't meet certain revenue levels or handle data from a significant number of Florida residents, the FDBR probably won't affect you.

The Florida Digital Bill of Rights became effective on July 1, 2024.

Is the FDBR appropriate for my business?

The Florida Digital Bill of Rights (FDBR), created by Senate Bill 262, applies to specific large businesses and includes essential measures for safeguarding personal data. Here's an overview of who it affects and how it works:

Large Businesses

The FDBR mainly affects businesses with annual gross revenues exceeding $1 billion, and which also meet one of the following criteria:

  • Operate a consumer smart speaker with an integrated virtual assistant connected to a cloud computing service.
  • Derive 50% or more of their global annual revenues from online ad sales.
  • Operate an app store or digital distribution platform with at least 250,000 apps available for download.

Broader Applicability

The FDBR also includes provisions that apply more broadly to for-profit businesses that collect and process personal data about Floridian consumers, particularly regarding the sale of sensitive personal data. This sensitive data includes personal information revealing:

  • Religious beliefs
  • Racial or ethnic origin
  • Sexual orientation
  • Health diagnoses
  • Data collected from children
  • Genetic or biometric data

In summary, while the FDBR primarily targets large businesses, it also encompasses provisions that apply to any for-profit business handling sensitive personal data of Florida residents.

Exemptions from the Florida data protection law

The FDBR's rules do not apply to certain entities and types of data, including:

  • Nonprofit organizations
  • Government entities
  • Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA)
  • Higher education institutions
  • Covered entities under HIPAA

Although many of these entities wouldn't meet the thresholds for the FDBR, the law explicitly excludes them.

Is the Florida data privacy law applicable to small businesses?

The Florida privacy law generally doesn't apply to most small businesses. While there are thresholds that, if met, would subject a small business to the law, this scenario is quite unlikely.

What are the newly established consumer rights and protections in Florida?

The FDBR grants Floridian consumers several rights akin to those in other state privacy laws, including the rights to access, correct, delete personal data, and opt out of the sale of personal data. It also has specific provisions for protecting children's online privacy.

However, it's important to note that these rights only apply if the business meets the stringent applicability thresholds. Simply being a Florida resident does not automatically grant these rights.

How can businesses adhere to the requirements of the Florida privacy act?

The Florida Digital Bill of Rights (FDBR) establishes various obligations for businesses that fall under its jurisdiction. Here are the key mandates:

Respond to Consumer Rights Requests:

  • Right to Correct: Consumers can request corrections to any inaccuracies in their personal data.
  • Right to Access: Consumers have the right to request access to their personal information.
  • Right to Data Portability: Consumers can obtain a copy of their personal data in a portable and readily usable format.
  • Right to Delete: Consumers have the right to ask for their personal data to be deleted.
  • Right to Opt-Out: Consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data, and certain types of profiling.

Obtain Consent for Processing Sensitive Data:

Businesses must obtain explicit consent for processing sensitive data, including:

  • Religious beliefs
  • Racial or ethnic origin
  • Sexual orientatio
  • Mental or physical health diagnoses
  • Genetic or biometric data
  • Citizenship or immigration status
  • Precise geolocation data
  • Personal data collected from a known child

Provide Privacy Notices:

Businesses must provide consumers with privacy notices that describe:

  • The purposes for processing personal data
  • The categories of personal data processed
  • The types of personal data shared with third parties and the types of third parties themselves
  • How consumers can exercise their data rights?

Conduct Data Protection Impact Assessments:

Businesses must evaluate the risks associated with their data processing activities, especially those involving sensitive data or significantly impacting consumers.

Written Contracts with Data Processors:

When using third-party processors to handle personal data, businesses must have contracts outlining the responsibilities and obligations of each party. These agreements should specify provisions for confidentiality, the deletion or return of data upon termination, and cooperation with the controller's assessments and audits.

Additional Prohibitions:

  • Avoid Dark Patterns: Businesses must not use manipulative tactics to obtain consent.
  • Protect Children: Businesses must not process personal information that may result in substantial harm or privacy risks to children.
  • Surveillance Restrictions: Businesses must not use certain data collection features for surveillance without explicit consumer authorization.

What specific notifications does Florida require for sensitive data?

Businesses covered by the Florida data protection law that sell sensitive or biometric data must explicitly state in their notices:

  • "NOTICE: This website may sell your biometric data."
  • "NOTICE: This website may sell your sensitive personal data."

FDBR Enforcement and Compliance

Violations of the FDBR can result in civil penalties of up to USD 50,000 per violation, significantly higher than other US state privacy laws. The penalties can triple if:

  • The entity fails to delete or correct personal data upon request.
  • The violation involves a minor under 18.
  • The entity continues to sell or share personal data after the consumer has opted out.

The Florida Attorney General enforces the law. The procedure begins with a 45-day cure period. If the violation is not resolved within this period, the Attorney General can issue penalties.

The law does not grant Florida residents a private right to action.

About Ardent Privacy

Ardent’s mission is to help enterprises implement meaningful security and privacy programs aligned to their business mission, building trust and protecting data assets. Ardent’s technology “TurtleShield” is a holistic software platform that empowers enterprise security, legal, and data teams to implement and manage data privacy within the organizations with rapid data asset visibility and actions to enable privacy compliance, govern AI risk, meaningful data protection, and reduce cost of compliance and data breaches. Our unique and patented ML/AI-powered technology helps organizations comply with evolving privacy and AI regulations and accelerates adoption of AI technologies. Ardent offers a low code platform to automate Privacy & AI governance, rapid discovery of data assets and consent management with regional focus for global regulations.